CN103984908A - South bridge chip and application method thereof - Google Patents
- Publication number: CN103984908A (application CN201410186552.6A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in cryptographic circuits (under G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F21/74—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode (under G06F21/00)
Abstract
The invention discloses a south bridge chip and an application method thereof, belonging to the technical field of computer system security. The south bridge chip comprises a detection unit, a processing unit and a state setting unit, wherein the state setting unit is connected to an external input unit and connected respectively to the detection unit and the processing unit. The application method comprises the following steps: acquiring an externally input instruction; setting the computer system, according to the instruction, in a first-level security state of normal work; setting the computer system, according to the instruction, in a second-level security state in which the detection unit is started; and setting the computer system, according to the instruction, in a third-level security state in which the processing unit is started. The beneficial effects of the technical scheme are that damage to the computer system by illegal instructions or harmful data from the internet is avoided while the working performance of the computer system is maintained to a certain degree; in addition, the south bridge chip is simple to realize and lower in cost.
Description
Technical field
The present invention relates to the technical field of computer system security, and in particular to a south bridge chip and an application method thereof.
Background technology
With the advance of science and technology and the wide spread of the internet, national security, and national information security in particular, has become more and more important. From personal computers and small enterprise-level service terminals up to the computer systems of public service industries and the whole national security system, all are liable to attack by illegal instructions or harmful data from the internet. Furthermore, because the country's own processor chips and supporting computer hardware are not yet mature, and out of consideration for performance, computer systems in general, whether used by individuals, enterprises or the state, all adopt external high-performance processor chips. These processor chips, however, may have had various "security back door" programs added to them. A so-called "security back door" means hidden unused code or harmful data left in a processor chip or memory; an attacker can send activation instructions over the internet to activate these "security back doors" and thereby disrupt the normal operation of the computer system. Because these "security back doors" are usually burned into the processor chip or memory, under normal operating conditions a user finds it hard or impossible to discover these illegal instructions or harmful data, while abandoning external high-performance processor chips would cause a decline in the usability of the computer system.
Chinese patent CN1520537 discloses a method, device and system capable of closing a back-door access mechanism. A processor comprises a first register, arranged to store one or more hardware debug test (HDT) activation bits; first control logic connected to receive a plurality of HDT input signals; and second control logic connected to the first register. The first control logic is connected so that it can access the first register, and the second control logic is arranged to store one or more default values in the first register in response to a reset of the processor. Another processor comprises first control logic connected to receive a plurality of microcode inputs; a first register connected to the first control logic; and second control logic connected to the first register. The first register is arranged to store one or more microcode loader activation bits, and the second control logic is arranged to store one or more default values in the first register in response to a reset of the processor. This scheme mainly concerns improvements inside the processor chip; but for an external high-performance processor chip, the internal storage structure and processor architecture are usually not disclosed, and the user does not necessarily have the skill to change the processor architecture, so this scheme is not suited to solving the problems of the prior art.
Summary of the invention
In view of the defects in the prior art, a south bridge chip and an application method thereof are now provided, which specifically comprise:
A south bridge chip integrated in a computer system, the computer system comprising a processor and a memory and working with a first operating system; wherein the south bridge chip is connected between the processor and the memory;
The processor obtains data input from an external network through the south bridge chip, and the data are stored in the memory;
The south bridge chip comprises:
A detection unit, for detecting the security of the data sent to the processing unit;
A processing unit, for substituting for the processor to carry out the data processing and transfer functions of the computer system;
A state setting unit, connected to an external input unit and connected respectively to the detection unit and the processing unit, for setting the security state of the computer system, according to the control instruction input through the input unit, to a first-level security state in which the computer system works normally, or a second-level security state in which the detection unit is enabled, or a third-level security state in which the processing unit is enabled.
Preferably, in this south bridge chip, the state setting unit closes the processor when the computer system is set in the third-level security state.
Preferably, this south bridge chip further comprises:
A first storage unit, connected to the processing unit, for storing a preset second operating system;
The second operating system is used by the processing unit to control the computer to work in the third-level security state;
Preferably, in this south bridge chip, a plurality of executable instructions are preset in the processor;
The first operating system is called by the processor in the second-level security state;
The south bridge chip further comprises:
An addressing interception unit, running in the first operating system, for setting the memory address information corresponding to the plurality of executable instructions preset in the processor that need to be shielded as suspicious memory address information, and
for matching the memory address information contained in addressing requests sent to the processor against the suspicious memory address information, and intercepting the addressing requests that match the suspicious memory address information.
An application method of a south bridge chip, the south bridge chip being integrated in a computer system, the computer system comprising a processor and a memory and working with a first operating system; wherein the south bridge chip is connected between the processor and the memory;
The processor obtains data input from an external network through the south bridge chip, and the data are stored in the memory;
The south bridge chip comprises:
A detection unit, for detecting the security of the data sent to the processing unit;
A processing unit, for substituting for the processor to carry out the data processing and transfer functions of the computer system;
The application method of the south bridge chip specifically comprises:
Step S1, obtaining an externally input instruction;
Step S2, setting the computer system, according to the instruction, in a first-level security state of normal work;
Step S3, setting the computer system, according to the instruction, in a second-level security state in which the detection unit is started;
Step S4, setting the computer system, according to the instruction, in a third-level security state in which the processing unit is started.
Preferably, in the application method of this south bridge chip,
In step S2, the computer system works with a first operating system in the first-level security state;
In step S3, the computer system works with the first operating system in the second-level security state;
In step S4, the computer system works with a second operating system in the third-level security state.
Preferably, in the application method of this south bridge chip, in step S4, in the third-level security state, the processor is closed and the processing unit works in place of the processor.
Preferably, in the application method of this south bridge chip, a plurality of executable instructions are preset in the processor;
The first operating system is used to set the memory address information corresponding to the plurality of executable instructions preset in the processor that need to be shielded as suspicious memory address information;
Step S3 specifically comprises:
Step S31, setting the computer system in the second-level security state according to the instruction;
Step S32, controlling the computer system according to the instruction to enable the addressing interception unit;
Step S33, setting, by the addressing interception unit running in the first operating system, the memory address information corresponding to the plurality of executable instructions as suspicious memory address information;
Step S34, detecting whether the memory address information contained in an addressing request sent to the processor matches the suspicious memory address information:
If the memory address information contained in the addressing request matches the suspicious memory address information, go to step S35;
If the memory address information contained in the addressing request does not match the suspicious memory address information, return to step S34;
Step S35, intercepting the addressing request, and returning to step S34.
The beneficial effects of the above technical scheme are: damage to the computer system by illegal instructions or harmful data from the internet is avoided, while the usability of the computer system is maintained to a certain extent; moreover, the scheme is fairly simple to realize and low in cost.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of a south bridge chip applied in a computer system, in a preferred embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a south bridge chip, in a preferred embodiment of the present invention;
Figs. 3 and 4 are schematic flow charts of the application method of the south bridge chip, in a preferred embodiment of the present invention.
Embodiment
The invention is further described below in conjunction with the drawings and specific embodiments, which are not to be taken as limiting the invention.
In a preferred embodiment of the present invention, as shown in Fig. 1, a south bridge chip 1 is arranged on the mainboard A of a computer system. Usually the mainboard A also comprises a processor 2, a memory 3 and a north bridge chip 21. In the prior art, the north bridge chip is connected between the processor 2 and the south bridge chip 1, and the south bridge chip 1 is also connected to the memory 3.
Usually, in a computer system, the north bridge chip 21 is mainly responsible for communicating with the processor 2, controlling the memory, and transferring AGP (Accelerated Graphics Port) data inside the north bridge; it determines the supported processor type and clock frequency, the front-side bus frequency of the system, the type and maximum capacity of memory, the AGP slot, ECC (Error Correcting Code) error checking and correction, and so on. The south bridge chip 1 is also connected to the memory 3 and comprises an interface connected to the external network 4; it is mainly responsible for communication on the I/O bus, including the data and instructions transmitted by the external network, and for sending the data and instructions called from the memory to the processor 2.
With the development of science and technology, the mainboard A of a computer system needs to be made more and more compact and its volume smaller and smaller, and integrating a large north bridge chip and a large south bridge chip on the mainboard clearly no longer meets the requirement of mainboard miniaturization. Therefore, the common practice is to integrate most or even all of the functions of the north bridge chip 21, which is relatively close to the processor, into the processor chip 2 (as shown in Fig. 1), while the remaining north bridge functions not integrated into the processor chip 2 are taken over by the south bridge chip 1. After this improvement, the traditional south bridge chip 1 of the prior art is also called a Platform Controller Hub (PCH), or integrated south bridge. The mainboard architecture of the whole computer system is thus simplified, and the board itself can be made smaller and smaller, gradually meeting the miniaturization requirements of modern mainboards.
In a preferred embodiment of the present invention, as shown in Fig. 2, the south bridge chip 1 specifically comprises:
A detection unit 11, for detecting the security of the data sent to the processor 2; specifically, for detecting whether the data and instructions sent to the processor 2 by the external network 4 or the memory 3 pose a security problem. In a preferred embodiment of the present invention, a so-called security problem generally means judging whether the data are malicious instructions, for example an instruction that makes the system shut down automatically. In a preferred embodiment of the present invention, when the detection unit 11 detects that data sent to the processor 2 by the external network 4 may damage the computer system, or that data called by the processor 2 from the memory 3 may damage the computer system, the detection unit 11 intercepts these data so as to guarantee that the processor 2 works normally.
A processing unit 12, for working in place of the processor 2 when the processor 2 stops working. In a preferred embodiment of the present invention, the processor 2 is the processor chip usually adopted by computer systems, which can be considered an external high-performance processor chip. However, such high-performance processor chips may contain artificially arranged "security back doors", for example malicious instructions preset in the processor chip. When such malicious instructions preset in the processor chip are activated via the external network or by calling instructions stored in the memory, a certain amount of damage may be done to the whole computer system. Therefore, in situations where the security level is higher, a processor chip without embedded "security back doors" (namely the processing unit 12) is adopted to work in place of the original high-performance processor chip (namely the processor 2). In a preferred embodiment of the present invention, no malicious instructions are embedded in the processing unit 12, and furthermore, to prevent new malicious instructions from being produced by splicing and combining parts of instruction content, certain basic instructions are not embedded in the processing unit 12 either, so the processing performance of the processing unit 12 is lower than that of the traditional processor 2. In situations where the security level is higher, a preferred embodiment of the present invention guarantees the safe operation of the computer system by appropriately sacrificing some processing performance.
A state setting unit 13, connected to an external input unit 5, for obtaining an externally input control instruction. In a preferred embodiment of the present invention, the state setting unit 13 is also connected respectively to the detection unit 11 and the processing unit 12, and to the processor 2. When the state setting unit 13 receives the control instruction, it sets the computer system in the corresponding security state according to the different control instruction. Specifically:
In a preferred embodiment of the present invention, when the state setting unit 13 receives a control instruction to set the computer system in the first-level security state, the state setting unit 13 controls the computer system to work normally, and the detection unit 11 and the processing unit 12 are both disabled.
In a preferred embodiment of the present invention, when the state setting unit 13 receives a control instruction to set the computer system in the second-level security state, the state setting unit 13 starts the detection unit 11, so that the detection unit 11 is enabled while the processing unit 12 remains disabled. The detection unit 11 starts working, detecting and intercepting illegal instructions or harmful data sent to the processor 2.
In a preferred embodiment of the present invention, when the state setting unit 13 receives a control instruction to set the computer system in the third-level security state, the state setting unit 13 starts the processing unit 12, so that the processing unit 12 is enabled and works in place of the processor 2 to keep the whole computer system running normally.
Further, in a preferred embodiment of the present invention, in the third-level security state, the state setting unit 13 first closes the processor 2 before starting the processing unit 12. After the processor 2 is stopped, the processing unit 12 is activated and works in place of the processor 2.
In a preferred embodiment of the present invention, when the computer system runs normally, it works with a first operating system.
In a preferred embodiment of the present invention, the south bridge chip further comprises:
A first storage unit 14, connected to the processing unit, in which a second operating system is stored. In a preferred embodiment of the present invention, after the processing unit 12 is enabled, it works with the second operating system. Further, in a preferred embodiment of the present invention, the second operating system may be an independently developed operating system or another open-source operating system.
Further, in a preferred embodiment of the present invention, the first storage unit 14 also stores basic system information for realizing the bottom-level operation of the system.
In a preferred embodiment of the present invention, the basic system information is BIOS (Basic Input Output System) information, mainly used to realize the self-test program and system self-start program after the system is powered on; it contains the basic setup information of the system, and its main function is to provide the computer with the lowest-level, most direct hardware settings and control.
In a preferred embodiment of the present invention, the advantages of providing the first storage unit 14 are:
1) Because it is compatible with advanced CMOS processes and can maintain high-speed access between the external network, the processor 2 / processing unit 12 and the system memory, and in order to keep the mainboard A miniaturized, the first storage unit 14 can be a novel memory made with a back-end process, for example phase change memory (PCM), magnetic memory (Magnetic Random Access Memory, MRAM), resistive memory (Resistive Random Access Memory, ReRAM) or ferroelectric memory (Ferroelectric Memory, FeRAM). The memory cell area of such novel memories is far smaller than that of traditional Flash memory, and their scalability is also far better than that of traditional Flash memory.
Further, in a preferred embodiment of the present invention, adopting such a novel memory also improves the radiation resistance of the first storage unit 14.
2) If the first storage unit 14 were separated from the south bridge chip and connected through an external interface, it would be more exposed to external attacks, for example side-channel attacks. If the first storage unit 14 suffers an external attack, the basic system information in it may be altered, thereby changing the boot items and hardware control of the computer and harming the computer system. Integrating the first storage unit 14 in the south bridge chip effectively prevents such attacks and improves the security of the system.
3) Because the first storage unit 14 is integrated in the south bridge chip 1 rather than connected through an external serial interface, the speed at which the processing unit 12 loads the basic system information stored in the first storage unit 14 is increased, and thus the boot speed of the computer system is increased.
In a preferred embodiment of the present invention, the first storage unit 14 may also be arranged outside the south bridge chip and connected to the south bridge chip through an external interface.
In a preferred embodiment of the present invention, a plurality of executable instructions are preset in the processor 2.
When the state setting unit 13 sets the computer system in the second-level security state, the state setting unit 13, according to the different control instruction, controls the processor 2 to enable an addressing interception unit running in the first operating system.
In a preferred embodiment of the present invention, the addressing interception unit running in the first operating system is called by the processor in the second-level security state, so as to set the memory address information corresponding to the plurality of executable instructions preset in the processor that need to be shielded as suspicious memory address information;
In a preferred embodiment of the present invention, as noted above, the executable instructions preset in the processor 2 may be malicious instructions capable of damaging the hardware and software of the computer system. These malicious executable instructions are inactive under normal circumstances, but a specific illegal instruction can perfectly well be sent to the processor 2 via the external network or the internal memory to activate them and thereby damage the computer system. Therefore, in a preferred embodiment of the present invention, methods such as reverse engineering are first used to find out the memory addresses of the malicious executable instructions, and then the addressing interception unit running in the first operating system is used to set the memory addresses of these executable instructions as suspicious memory addresses that need to be shielded in the processor 2.
In a preferred embodiment of the present invention, in the second-level security state, when the processor works with the first operating system, the addressing interception unit is activated and obtains the addressing requests sent to the processor 2. The addressing interception unit matches the memory address contained in each addressing request against the suspicious memory addresses set to be shielded, and intercepts the addressing requests that match, that is, the addressing requests containing a suspicious memory address.
Further, in a preferred embodiment of the present invention, by means such as the reverse engineering described above, a memory address range of trusted instructions and a memory address range of suspicious instructions are delimited in the processor 2. Of course, the executable instructions identified by means such as reverse engineering are an enumeration; that is to say, the memory address range of trusted instructions plus the memory address range of suspicious instructions does not equal the whole memory address range in which executable instructions are stored in the processor 2.
In a preferred embodiment of the present invention, the memory address range of suspicious instructions needs to be shielded, so the addressing interception unit is first used to shield the memory address range of the suspicious instructions and intercept the addressing requests that match this memory address range, thereby guaranteeing that the suspicious instructions are not activated.
Further, in a preferred embodiment of the present invention, after external attack instructions are upgraded, the following situation may arise: an external attack instruction enables a certain part of one trusted instruction and combines it with a certain part of another trusted instruction to form a new executable instruction, and this newly formed executable instruction may be malicious. In this case, not only the memory address range of the suspicious instructions but also the memory address range of the trusted instructions needs to be shielded, so the range of suspicious memory addresses is expanded, and the addressing interception unit intercepts the addressing requests that match the suspicious memory addresses so set.
In a preferred embodiment of the present invention, because most of the executable instructions preset in the processor 2 are shielded in these cases, the running performance of the processor 2 is affected to a certain extent.
In a preferred embodiment of the present invention, when the state setting unit 13, in the second-level or third-level security state, receives a control instruction requiring a switch to the first-level security state, the state setting unit 13 closes the detection unit 11 or the processing unit 12 and opens the processor 2 (if the processor 2 is currently closed), so that the computer system returns to its normal working state.
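The following C model is an added example, not the patent's own code: it simulates the state setting unit 13 (the three security states and which of unit 11, unit 12 and processor 2 run in each) together with steps S32 to S35 of the addressing interception unit, including the expansion of the suspicious set over a trusted range described above. All names, the inclusive address ranges and the assumption that unit 11 and the interception unit are off in the third-level state are mine.

```c
/* Added model of the south bridge described above (constructed example, not the patent's code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { SEC_LEVEL1 = 1, SEC_LEVEL2 = 2, SEC_LEVEL3 = 3 } sec_level_t;
typedef struct { uint32_t lo, hi; } addr_range_t;  /* inclusive bounds */

#define MAX_RANGES 8

typedef struct {
    sec_level_t level;
    bool detection_on;     /* detection unit 11 */
    bool processing_on;    /* processing unit 12 (processor without back doors) */
    bool processor_on;     /* external high-performance processor 2 */
    bool interception_on;  /* addressing interception unit, runs under OS 1 */
    addr_range_t suspicious[MAX_RANGES];
    size_t n_suspicious;
    unsigned intercepted;  /* addressing requests blocked (step S35) */
} south_bridge_t;

/* Power-on state: first-level security state, processor 2 running normally. */
void sb_init(south_bridge_t *sb) {
    *sb = (south_bridge_t){0};
    sb->level = SEC_LEVEL1;
    sb->processor_on = true;
}

/* State setting unit 13: apply an external control instruction (steps S2-S4). */
void sb_set_level(south_bridge_t *sb, sec_level_t level) {
    switch (level) {
    case SEC_LEVEL1:  /* normal work: units 11/12 off, processor 2 (re)opened */
        sb->detection_on = false; sb->processing_on = false;
        sb->interception_on = false; sb->processor_on = true;
        break;
    case SEC_LEVEL2:  /* unit 11 on, interception unit enabled (step S32) */
        sb->detection_on = true; sb->processing_on = false;
        sb->interception_on = true; sb->processor_on = true;
        break;
    case SEC_LEVEL3:  /* close processor 2 first, then start unit 12 */
        sb->processor_on = false; sb->processing_on = true;
        /* Assumption: the text says only unit 12 runs here, so unit 11 and the
         * interception unit (which needs OS 1 on processor 2) are switched off. */
        sb->detection_on = false; sb->interception_on = false;
        break;
    }
    sb->level = level;
}

/* Step S33: mark an address range of processor 2's preset instructions as
 * suspicious. Accepted only while the interception unit is enabled. */
bool sb_add_suspicious_range(south_bridge_t *sb, uint32_t lo, uint32_t hi) {
    if (!sb->interception_on || sb->n_suspicious >= MAX_RANGES || lo > hi)
        return false;
    sb->suspicious[sb->n_suspicious++] = (addr_range_t){lo, hi};
    return true;
}

/* Steps S34/S35: filter one addressing request bound for processor 2.
 * Returns true if forwarded, false if it matched a suspicious range. */
bool sb_forward_addressing_request(south_bridge_t *sb, uint32_t addr) {
    if (!sb->interception_on)
        return true;
    for (size_t i = 0; i < sb->n_suspicious; i++) {
        if (addr >= sb->suspicious[i].lo && addr <= sb->suspicious[i].hi) {
            sb->intercepted++;
            return false;
        }
    }
    return true;
}

/* Which chip executes now: 2 for processor 2, 12 for unit 12, 0 for neither. */
int sb_active_processor(const south_bridge_t *sb) {
    return sb->processing_on ? 12 : (sb->processor_on ? 2 : 0);
}

int main(void) {
    south_bridge_t sb;
    sb_init(&sb);
    sb_set_level(&sb, SEC_LEVEL2);
    sb_add_suspicious_range(&sb, 0x1000, 0x10FF);  /* constructed suspicious range */
    printf("0x1010 forwarded: %d\n", sb_forward_addressing_request(&sb, 0x1010));
    sb_add_suspicious_range(&sb, 0x2000, 0x20FF);  /* trusted range added after a splicing attack */
    printf("0x2000 forwarded: %d\n", sb_forward_addressing_request(&sb, 0x2000));
    sb_set_level(&sb, SEC_LEVEL3);
    printf("active processor: %d\n", sb_active_processor(&sb));
    return 0;
}
```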
As shown in Fig. 3, in a preferred embodiment of the present invention, an application method of the south bridge chip specifically comprises:
Step S1, obtaining an externally input instruction;
Step S2, setting the computer system, according to the instruction, in a first-level security state of normal work;
In a preferred embodiment of the present invention, in the first-level security state the computer system works normally, and the detection unit and the processing unit are both disabled.
In a preferred embodiment of the present invention, in the first-level security state the computer system works with the first operating system. This first operating system may be the main operating system the computer system is equipped with, for example a Windows operating system.
Step S3, setting the computer system, according to the instruction, in a second-level security state in which the detection unit is started;
In a preferred embodiment of the present invention, in the second-level security state the detection unit is enabled and the processing unit remains disabled.
In a preferred embodiment of the present invention, in the second-level security state the computer system still works with the first operating system.
Step S4, setting the computer system, according to the instruction, in a third-level security state in which the processing unit is started.
In a preferred embodiment of the present invention, in the third-level security state the processing unit is enabled and the processor is closed, so that the processing unit works in place of the processor.
In a preferred embodiment of the present invention, in the third-level security state the computer system works with a second operating system, which may be an independently developed operating system or another open-source operating system, for example an open-source Linux operating system.
In a preferred embodiment of the present invention, when the computer system is in the second-level security state and works with the first operating system, the processor calls the addressing interception unit to set a plurality of suspicious memory addresses corresponding to suspicious executable instructions. Subsequently, when an external addressing request is sent to the processor, it is first judged whether the memory address it contains matches a suspicious memory address, and addressing requests matching a suspicious memory address are intercepted.
The above step specifically comprises:
Step S31, setting the computer system in the second-level security state according to the instruction;
Step S32, controlling the computer system according to the instruction to enable the addressing interception unit;
Step S33, setting, by the addressing interception unit running in the first operating system, the memory address information corresponding to the plurality of executable instructions as suspicious memory address information;
Step S34, detects and to be sent to the storage address information that the addressing request of processor comprises and whether to be matched with suspicious storage address information:
If the storage address information that addressing request comprises is matched with suspicious storage address information, go to step S35;
If the storage address information that addressing request comprises does not match suspicious storage address information, return to step S34;
Step S35, interception addressing request, and return to step S34.
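The three security states and the interception loop of steps S31 to S35, as an added example in C that models the behaviour the description gives; it is not the patent's code, and the function names, the fixed-size address list, the range-based address match, and the handling of interception on the return to the first-level state are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added model of the patent's state set unit and addressing interception
 * unit. Names, the fixed list size and the range-based address match
 * are our assumptions; the page describes the behaviour, not the code. */
enum level { LEVEL1 = 1, LEVEL2 = 2, LEVEL3 = 3 };

struct addr_range { uint32_t start, end; };  /* inclusive address range */

struct south_bridge {
    enum level level;
    bool detect_on;     /* detecting unit: enabled at level 2 (assumed kept on at level 3) */
    bool procunit_on;   /* processing unit: enabled at level 3 only */
    bool processor_on;  /* host processor: closed at level 3 */
    bool intercept_on;  /* addressing interception unit (step S32) */
    struct addr_range suspicious[8];
    size_t nsuspicious;
};

/* Power-on state: level 1, processor running, all other units disabled. */
void sb_init(struct south_bridge *sb) {
    *sb = (struct south_bridge){ .level = LEVEL1, .processor_on = true };
}

/* Steering order from the input unit: switch the security level. Returning
 * to level 1 closes the detecting and processing units and reopens the
 * processor; we assume it also drops interception and its address list. */
void sb_set_level(struct south_bridge *sb, enum level lv) {
    sb->level = lv;
    sb->detect_on = (lv >= LEVEL2);
    sb->procunit_on = (lv == LEVEL3);
    sb->processor_on = (lv != LEVEL3);
    if (lv == LEVEL1) { sb->intercept_on = false; sb->nsuspicious = 0; }
}

/* Step S32: interception is enabled at level 2, while the first OS runs. */
bool sb_enable_interception(struct south_bridge *sb) {
    if (sb->level != LEVEL2) return false;
    sb->intercept_on = true;
    return true;
}

/* Step S33: mark the address range of a preset instruction as suspicious. */
bool sb_add_suspicious(struct south_bridge *sb, uint32_t start, uint32_t end) {
    if (!sb->intercept_on || start > end || sb->nsuspicious == 8) return false;
    sb->suspicious[sb->nsuspicious++] = (struct addr_range){ start, end };
    return true;
}

/* Steps S34/S35: true when the addressing request must be intercepted. */
bool sb_filter_request(const struct south_bridge *sb, uint32_t addr) {
    if (!sb->intercept_on) return false;
    for (size_t i = 0; i < sb->nsuspicious; i++)
        if (addr >= sb->suspicious[i].start && addr <= sb->suspicious[i].end)
            return true;
    return false;
}
```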
In summary, the object of the present invention is to switch the security state of the computer system by means of the state set unit integrated on the South Bridge chip, which receives externally input steering orders, specifically comprising:
First-level security state: the computer system works normally with the first operating system.
Second-level security state: the detecting unit in the South Bridge chip is enabled to detect and intercept disabled instructions and/or harmful data sent to the processor. The overall performance of the computer system does not decline, but because the detecting unit works continuously in the enabled state, the power consumption of the computer system may rise slightly.
Under the second-level security state, as the maliciousness of the attack instructions gradually escalates, the addressing interception unit is enabled, the memory addresses of the executable instructions preset in the processor that need to be shielded are set as suspicious memory addresses, and addressing requests subsequently sent to the processor that require addressing of these suspicious memory addresses are shielded. Because part of the executable instructions preset in the processor are then shielded, the processing performance of the processor is reduced to a certain extent.
Third-level security state: the processing unit in the South Bridge chip is enabled, the processor is closed at the same time, and the processing unit works in place of the processor with the second operating system. Because a processing unit with lower performance but a higher safety coefficient replaces the high-performance processor chip, processing performance is reduced further. This security state is therefore switched to only when the system may be subjected to a very serious instruction attack, and it builds a computer system running environment with a high safety coefficient at the cost of sacrificing part of the processor performance.
In a preferred embodiment of the present invention, when the possibility of an instruction attack has fallen back to the normal condition, the computer system is reset to the first-level security state, the detecting unit and the processing unit are closed, the processor is opened, and the normal work of the computer system is restored.
In a preferred embodiment of the present invention, the above addressing interception unit can also be implemented in the computer system in hardware.
In a preferred embodiment of the present invention, the above first storage unit 14 can also be arranged independently of the South Bridge chip 1 (not shown), and the processing unit 12 can access the first storage unit 14 through the South Bridge chip 1.
The foregoing is only a preferred embodiment of the present invention and does not thereby limit the embodiments and protection scope of the present invention; those skilled in the art should recognize that all equivalent replacements and obvious variations made using the description and drawings of the present invention shall be included in the protection scope of the present invention.
Claims (8)
1. A South Bridge chip integrated in a computer system, said computer system comprising a processor and a memory and working with a first operating system; characterized in that said South Bridge chip is connected between said processor and said memory;
said processor obtains data input from an external network through said South Bridge chip and stores the data in said memory;
said South Bridge chip comprises:
a detecting unit, for detecting the security of the data sent to said processing unit;
a processing unit, for performing the data processing and transfer functions of said computer system in place of said processor;
a state set unit, connected to an external input unit and connected respectively to said detecting unit and said processing unit, for setting, according to a steering order input through said input unit, the security state of said computer system to a first-level security state in which the computer system works normally, or a second-level security state in which the detecting unit is enabled, or a third-level security state in which said processing unit is enabled.
2. The South Bridge chip as claimed in claim 1, characterized in that said state set unit closes said processor when said computer system is set in said third-level security state.
3. The South Bridge chip as claimed in claim 1, characterized in that it further comprises:
a first storage unit, connected to said processing unit, for storing a preset second operating system;
said second operating system being used by said processing unit to control said computer system to work under said third-level security state.
4. The South Bridge chip as claimed in claim 1, characterized in that a plurality of executable instructions are preset in said processor;
said first operating system is called by said processor under said second-level security state;
said South Bridge chip further comprises:
an addressing interception unit, running under said first operating system, for setting the storage address information corresponding to a plurality of said executable instructions preset in said processor that need to be shielded as suspicious storage address information, and
for matching the storage address information contained in an addressing request sent to said processor against said suspicious storage address information, and intercepting said addressing request when it matches said suspicious storage address information.
5. An application method for a South Bridge chip, said South Bridge chip being integrated in a computer system, said computer system comprising a processor and a memory and working with a first operating system; characterized in that said South Bridge chip is connected between said processor and said memory;
said processor obtains data input from an external network through said South Bridge chip and stores the data in said memory;
said South Bridge chip comprises:
a detecting unit, for detecting the security of the data sent to said processing unit;
a processing unit, for performing the data processing and transfer functions of said computer system in place of said processor;
the application method of said South Bridge chip specifically comprises:
Step S1, obtaining an externally input instruction;
Step S2, setting said computer system, according to said instruction, under a first-level security state of normal work;
Step S3, setting said computer system, according to said instruction, under a second-level security state in which said detecting unit is started;
Step S4, setting said computer system, according to said instruction, under a third-level security state in which said processing unit is started.
6. The application method of the South Bridge chip as claimed in claim 5, characterized in that
in said step S2, said computer system works with a first operating system under said first-level security state;
in said step S3, said computer system works with said first operating system under said second-level security state;
in said step S4, said computer system works with a second operating system under said third-level security state.
7. The application method of the South Bridge chip as claimed in claim 5, characterized in that in said step S4, under said third-level security state, said processor is closed and said processing unit works in place of said processor.
8. The application method of the South Bridge chip as claimed in claim 6, characterized in that a plurality of executable instructions are preset in said processor;
said first operating system is used to set the storage address information corresponding to a plurality of said executable instructions preset in said processor that need to be shielded as suspicious storage address information;
said step S3 specifically comprises:
Step S31, setting said computer system under said second-level security state according to said instruction;
Step S32, controlling said computer system according to said instruction to enable said addressing interception unit;
Step S33, setting, by said addressing interception unit running in said first operating system, the storage address information corresponding to a plurality of said executable instructions as suspicious storage address information;
Step S34, detecting whether the storage address information contained in an addressing request sent to said processor matches said suspicious storage address information:
if said storage address information contained in said addressing request matches said suspicious storage address information, go to step S35;
if said storage address information contained in said addressing request does not match said suspicious storage address information, return to said step S34;
Step S35, intercepting said addressing request, and returning to said step S34.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410186552.6A CN103984908B (en) | 2014-05-05 | 2014-05-05 | A kind of South Bridge chip and its application process |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103984908A true CN103984908A (en) | 2014-08-13 |
CN103984908B CN103984908B (en) | 2017-03-08 |
Family ID: 51276872
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410186552.6A Expired - Fee Related CN103984908B (en) | 2014-05-05 | 2014-05-05 | A kind of South Bridge chip and its application process |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103984908B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104460943A (en) * | 2014-12-16 | 2015-03-25 | 上海新储集成电路有限公司 | Energy saving computer system and application method thereof |
CN104460943B (en) * | 2014-12-16 | 2018-08-28 | 上海新储集成电路有限公司 | A kind of energy-saving computer system and its application process |
Also Published As
Publication number | Publication date |
---|---|
CN103984908B (en) | 2017-03-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170308 |